Cloud

11/26/2014
12:05 PM
Sara Peters
Sara Peters
Quick Hits
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Dangers Of Shopping Are Evolving

Point-of-sale malware is making brick-and-mortar shopping more dangerous. Online, attackers are beginning to value user accounts with payment information attached more than credit card details themselves.

Holiday shopping is dangerous. You could be tackled by other shoppers as you reach for the latest video game. You might go blind staring at your computer screen as you spend hours looking for a gift that is not only perfect, but will also arrive on your doorstep in time for you to smack a bow on it. There are other dangers, though -- and the risks are changing.

Shopping at brick-and-mortar stores is not necessarily any safer than shopping online anymore. In fact, Don Jackson, director of threat intelligence for PhishLabs, told Dark Reading this week that he would rather hand his credit card data to a Web form than to a salesperson.

Why the shift in threat posture? One reason for that is the spate of point-of-sale malware that has made headlines all year. Another is that retailers often work harder to secure their e-commerce sites than their brick-and-mortar shops.

That's not to say that e-commerce sites aren't without their risks. Yet, the kinds of risks are changing. Attackers are moving away from carding and starting to favor account takeover, as new research shows.

"This year, we have determined fraudsters are leveraging more sophisticated attack vectors, focusing increasingly on account takeover, as opposed to the common tactic of credit card cycling," says Ryan Wilk, director of customer success at NuData Security, in a report released Tuesday. "This shows us that thieves are beginning to value user accounts with payment information attached more than credit card details themselves. This puts additional burden on the e-commerce organization to protect their communities."

Researchers at ThreatMatrix are finding the same pattern. In a report last week, Alisdair Faulkner, chief products officer for ThreatMatrix said, "In addition to payment fraud this holiday shopping season, our biggest concern is the spike in the number of account takeovers we are seeing on retail websites. ThreatMetrix data shows an upswing in account takeover activity in the wake of recent massive data breaches -- and most retailers will be caught unprepared.

“Previously, guest checkouts represented the highest risk, but due to the prevalence of data breaches and the convenience of storing credit cards to make mobile purchases easier, fraudsters have found it just as easy to use a stolen username and password as it is to use compromised credit card information that has a shorter life span before being shut down."

The "convenience of storing credit cards to make mobile purchases easier" that Faulkner mentions becomes a greater concern as more shoppers use mobile devices to make purchases. Iovation predicted this week that about 40% of all retail transactions made between Black Friday and Cyber Monday this year will be made from mobile phones and tablets. This segment has been steadily increasing for years. Just five years ago, Iovation found that only 3% of the online retail transactions between Black Friday and Cyber Monday came from mobile devices.

Are you planning to get sore feet trudging around the shopping mall this season, or get sore fingers trolling the Internet? Do security risks affect your decision? Let us know in the comments below.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
12/1/2014 | 9:37:18 AM
Re: So what is the correct approach?
@mejiac  Thanks! As far as Apple and Google getting into the mobile payment realm... well I think they're both just trying to get a piece of a business that's growing just fine without them.

Still, Apple Pay is supposed to add stronger multi-factor authentication to every purchase -- that's the good news. The maybe-not-such-good news is that the Apple Pay infrastructure makes you rely on Apple for the lion's share of your payment security -- moreso even than your bank. 

We wrote about it in September:  http://www.darkreading.com/apple-pay-ups-payment-security-but-pos-threats-remain/d/d-id/1315608
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
12/1/2014 | 9:24:28 AM
Re: Glad to have an excuse to miss Black Friday
@David  Generally I hate shopping too, and do a lot online. But honestly, I miss some of the hustle and bustle, and the pretty lights and Christmas music playing, so I'll venture out into the fray just for the experience. I've even found the one cash register in the Times Square Toys R Us that never seems to have a line.  :)

But, I do feel it's a risk management issue. One of my favorite ways to shop is at the outdoor holiday markets they set up in some of the public parks in Manhattan. I worry about carrying cash, because those markets are a pickpocket's dream. But all the stalls in the market are small businesses using very small mobile credit card processing technology. I doubt that security is a big priority for them.

I HOPE that the wireless network for the merchants is separate from the free public wireless available in the park... but I think I ought to check on that.  :)  

 
prospecttoreza
50%
50%
prospecttoreza,
User Rank: Strategist
12/1/2014 | 9:20:17 AM
Re: Glad to have an excuse to miss Black Friday
But Amazon has gotten way too expensive. The same toy I got at Toysrus on sale for $55 this Thursday is being sold on Amazon for $130! So, happy Amazoning :-)
mejiac
50%
50%
mejiac,
User Rank: Apprentice
11/30/2014 | 12:08:30 PM
So what is the correct approach?
Great article Sarah!

"The "convenience of storing credit cards to make mobile purchases easier" that Faulkner mentions becomes a greater concern as more shoppers use mobile devices to make purchases."

If this is the case, then how come companies like Apple and Google are pushing for the use of more mobil based payment?

I agree that things are more riskier, and the thread of identity theft is greater than ever before.

I for one keep a close eye on all my transactions, and only utilize credit cards that have fraud protection policies.

I see this as something that is inevitable, and thus we need to be more cautiuous, since it's not a matter of if it'll happen or not, is more about "when?"

What does the community think?
Nemos
50%
50%
Nemos,
User Rank: Apprentice
11/30/2014 | 5:07:38 AM
Re: Glad to have an excuse to miss Black Friday
You dont feel safe while shopping in the mall ? , for most of the people is a joy procedure (especially for women's and kids). In addition you can try the small shops around the corner instead of the malls.
David F. Carr
100%
0%
David F. Carr,
User Rank: Strategist
11/26/2014 | 12:24:00 PM
Glad to have an excuse to miss Black Friday
I hate shopping, so if I'm incrementally safer doing it on Amazon than at the mall, hooray!
Is Threat Intelligence Garbage?
Chris McDaniels, Chief Information Security Officer of Mosaic451,  5/23/2018
More Than Half of Users Reuse Passwords
Curtis Franklin Jr., Senior Editor at Dark Reading,  5/24/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Shhh!  They're watching... And you have a laptop?  
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-9641
PUBLISHED: 2018-05-25
PI Coresight 2016 R2 contains a cross-site request forgery vulnerability that may allow access to the PI system. OSIsoft recommends that users upgrade to PI Vision 2017 or greater to mitigate this vulnerability.
CVE-2018-10350
PUBLISHED: 2018-05-25
A SQL injection remote code execution vulnerability in Trend Micro Smart Protection Server (Standalone) 3.x could allow a remote attacker to execute arbitrary code on vulnerable installations due to a flaw within the handling of parameters provided to wcs_bwlists_handler.php. Authentication is requi...
CVE-2018-6232
PUBLISHED: 2018-05-25
A buffer overflow privilege escalation vulnerability in Trend Micro Maximum Security (Consumer) 2018 could allow a local attacker to escalate privileges on vulnerable installations due to a flaw within processing of IOCTL 0x22205C by the tmnciesc.sys driver. An attacker must first obtain the ability...
CVE-2018-6233
PUBLISHED: 2018-05-25
A buffer overflow privilege escalation vulnerability in Trend Micro Maximum Security (Consumer) 2018 could allow a local attacker to escalate privileges on vulnerable installations due to a flaw within processing of IOCTL 0x222060 by the tmnciesc.sys driver. An attacker must first obtain the ability...
CVE-2018-6234
PUBLISHED: 2018-05-25
An Out-of-Bounds Read Information Disclosure vulnerability in Trend Micro Maximum Security (Consumer) 2018 could allow a local attacker to disclose sensitive information on vulnerable installations due to a flaw within processing of IOCTL 0x222814 by the tmnciesc.sys driver. An attacker must first o...